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METHOD AND DEVICE FOR CRYPTOGRAPHICALLY PROCESSING DATA 

[0001] BACKGROUND OF THE INVENTION 

[0002] 1. Field of the Invention 

[0003] The invention relates to a method for 
cryptographically processing data, comprising feeding, to a 
cryptographic process, values, namely, the data and a key, 
and carrying out the process in order to form 
cryptographically processed data. Such method io generally 
known . 

[0004] 2 . Description of the Prior Art 

[0005] For cryptographically processing data, in 
practice there are often applied generally known processes. 
Examples of such cryptographic processes (algorithms) are 
DES and RSA [DES = Data Encryption Standard and RSA = 
Rivest, Shamir & Adleman] , which are described, e.g., in 
the book "Applied Cryptography" by B. Schneier (2nd 
edition), New York, 1996. 

[0006] Said These processes are published since it was 
assumed that, in the event of sufficiently large key 
lengths, it would be impossible, on the basis of the 
processed data, to retrieve the original data and/or the 
key, even if the cryptographic process were known. 
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[0007] However, Gcryptographic algorithms can be 
attacked -the goal always is to find the encryption key in 
use- in different ways: (1) Mmathematical attacks like 
differential and linear cryptanalysis ; (2) Hhardware 
5 oriented attacks, called "Side Channel Attacks", viz. 

attacks based on power consumption analysis or I/O timing 
analysis . 

[0008] U.S. Patent No. 5,745,577 discloses a method for 
10 advanced key scheduling of a secret key. The aim is to 

offer a protection against said mathematical attacks 
(differential and linear cryptanalysis) by amending the 
encryption algorithm. Amending the algorithm will cause 
change of its output and thus the disclosed method does 
15 not present any improvement against paid the "Side Channel 

Attacks" . 

[0009] SUMMARY OF THE INVENTION 

20 [0010] The present invention aims to improve the 

protection of a cryptographic device against "Side Channel 
Attacks". In short, ea^rd— the improvement is achieved by 
masking the data and/or the key by means of generating 
extra, auxiliary input (data or key) and compensating its 

25 influence to the output by adding, to the "main" 

encryption process, an auxiliary (compensating) process. 
By oaid these masking measures^ it will be much more 
difficult to derive the value of data or key from the 
behavior of the power consumption of the cryptographic 

30 device. Said this masking, however, happens in such a way 

that the result of the process as a whole remains 
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unchanged: with the same input and key the amended 
algorithm results into the same, unchanged output. 

[0011] Thus^ the invention presents a n inventive 
5 method of the type referred to in the preamble according 

to the invention which is characterized by feeding, to 
the process, auxiliary values, while compensating, by 
means of an auxiliary process, the influence of the 
auxiliary values to the output data, in order to mask 
10 the values used in the process. 

[0012] By masking the date and/or keyCs)^ it becomes 
considerably more difficult to derive said their values 
on the basis of the behavior of the process. The result 

15 of the process, i.e., the collection of processed data, 

in the event of a suitable choice of the auxiliary 
values may be unchanged, i.e., identical to the result 
of the process, if no auxiliary values have been fed to 
it. In this connection, an "auxiliary value" is 

20 understood to mean a value (data or key) which is fed to 

the process as a supplement to the corresponding data 
and key. 

[0013] The invention is therefore based on the 
25 insight that the derivation of the values used in a 

cryptographic process is rendered considerably more 
difficult if said those values are masked using said the 
auxiliary values and said the auxiliary process. 

30 [0014] The invention is partly based on the further 

insight that the use of auxiliary values does not 
necessarily affect the outcome of the process. 
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[0015] In a first embodiment of the invention, an 
auxiliary value comprises a supplementary key which is 
fed to a supplementary process in order to form the key. 

5 

[0016] By applying a combination of a known process 
and a supplementary process, there is formed a new 
cryptographic process, unknown per se, even if the 
supplementary process is also known per se . 

10 

[0017] By deriving the key used for the known process 
(primary key) from a supplementary key (secondary key) 
using a supplementary process, there is achieved that not 
the (primary) key of the known process but the 
15 supplementary (secondary) key is offered to the combination 

of processes. In other words, externally the supplementary 
(secondary) key, and not the real (primary) key of the 
process proper, is used. Derivation of the key from the 
original data and the processed data has thereby become 
20 impossible. In addition, the derivation of the 

supplementary key has been rendered seriously more 
difficult, since the combination of the original process 
and the supplementary process is not known. 

25 [0018] Said The embodiment of the invention is therefore 

based, inter alia, on the insight that prior knowledge of a 
cryptographic process is undesirable, such is contrary to 
what was so far assumed. Said The embodiment is also based 
on the Ffurther insight that attacks which elaborate on 

30 knowledge of the process become considerably more difficult 

if the process is unknown. 
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[0019] The supplementary process preferably comprises a 
cryptographic process. This renders the derivation of the 
supplementary key more difficult. Basically, however, a 
simple encoding may be applied, e.g., as a supplementary 
5 process. In the event of a cryptographic process, there is 

preferably applied an auxiliary key. 

[0020] The supplementary process advantageously is an 
invertible process. This enables the application of the 

10 method according to the invention in existing equipment 

with minimum modifications. If, e.g., a first device 
gives off a (supplementary) key which is applied in a 
second device according to the invention, then in the 
first device there may be used the inverse of the 

15 supplementary process to derive the supplementary key 

from the original key. In other words, although in both 
the first and the second devices internally the original 
(primary) key is used, there is exchanged, between the 
devices, the supplementary (secondary) key. Intercepting 

20 the supplementary key, however, does not result in 

knowledge of the original key. 

[0021] It may be advantageous^ if carrying out the 
supplementary process takes place exclusively^ 4^ — that 
25 the data has predetermined properties. In this manner, 

cryptographic processing may be carried out for specific, 
selected data only, while such is blocked for all other 
data. In this manner, there is achieved a supplementary 
protection. 

30 

[0022] An optimum Further enhanced security is 
provided if the process and the supplementary process are 
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each constructed of several steps and in which there are 
alternately carried out steps of the process and the 
supplementary process. As a result, the properties of 
the known process are further veiled, as a result of 
5 which the derivation of the keys is further complicated. 

[0023] In a second embodiment of the invention, the 
process comprises several steps, each of which has a 
cryptographic operation for processing right-hand data 

10 derived from the data and a combinatory operation for 

combining, with the left-hand data derived from the data, 
the processed right-hand data in order to form modified 
left-hand data, in which the right-hand data, prior to 
the first step, is combined with a primary auxiliary 

15 value and the left-hand data is combined with an 

additional auxiliary value. As a result, the data used 
in the steps and transferred between the steps is masked. 

[0024] In order to make it poooiblc for the primary 
20 and additional auxiliary values do not make themselves 

felt in not to overly affect the end result of the 
process, the right-hand data is combined, preferably 
immediately after the last step, with a further primary 
auxiliary value, and the modified left-hand data is 
25 combined with a further additional auxiliary value. 

[0025] In order not to have that the result of the 
operations is not affected by the primary auxiliary 
values, the method according to the invention is 
30 preferably carried out in such a manner that the right- 

hand data, in each step and prior to the operation, is 
combined with the primary auxiliary value of said that 
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step. A further protection is achieved if the processed 
right-hand data, following the processing, is combined 
with a secondary auxiliary value of oaid that step. 

5 [0026] The secondary auxiliary value of a given step 

is advantageously formed from the combination of the 
primary auxiliary value of the preceding step and the 
primary auxiliary value of the next step. 

[0027] As a result, it becomes possible to compensate 
the auxiliary value in the repeatedly next step, as a 
result of which oaid the auxiliary value will not make 
itaclf felt in overly affect the end result of the 
process. 

[0028] It is possible to carry out the method 
according to the invention in such a manner, that all 
primary auxiliary values are equal. As a result, a very 
simple practical realization is possible. The use of 
several auxiliary values, which are preferably random 
numbers and are newly generated anew for each time the 
process is carried out, however, offers a greater 
cryptographic security . 

25 [0029] A further simplification of oaid the embodiment 

may be obtained if the primary auxiliary values and/or 
secondary auxiliary values repeatedly have been combined 
in advance with the operation in question. This is to 
say, combining with auxiliary values is processed in the 

30 operation in question (e.— g. , a substitution)— in such a 

manner that the result of the that operation in qucotion 
is equal to that of the original operation plus one or 
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two combinatory operations with auxiliary values. By in 
advance including in the operation the combinatory 
operations, a more pimple simpler and faster practical 
realization is possible. 

[0030] Said Such combinatory operations are preferably 
carried out using an XOR operation [XOR = exclusive OR] . 
Other combinatory operations, however, such as binary 
adding, are basically possible as well. 

[0031] The invention further provides a circuit for 
carrying out a method for cryptographically processing 
data. In addition, the invention supplies a payment card 
and a payment terminal provided with such circuit. 

[0032] Below, the invention will be further explained 
on the basis of the exemplary embodiments shown in the 
figures . 



20 [0033] BRIEF DESCRIPTION OF THE DRAWINGS 

[0034] FIG. 1 schematically shows a cryptographic 
process according to the prior art. 

25 [0035] FIG. 2 schematically shows a first 

cryptographic process according to a first embodiment of 
the invention. 

[0036] FIG. 3 schematically shows a second 

30 cryptographic process according to a first embodiment of 

the invention. 
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[0037] FIG. 4 schematically shows a way in which— the 
processes of figures FIG. 1 and 2 may be carried out. 



[0038] FIG. 5 schematically shows a cryptographic 
5 process having several steps according to the prior art . 

[0039] FIG. 6 schematically shows a first 
cryptographic process according to a second embodiment of 
the invention. 

10 

[0040] FIG. 7 schematically shows a second 
cryptographic process according to a second embodiment of 
the invention. 

15 [0041] FIG. 8 schematically shows a third 

cryptographic process according to a second embodiment of 
the invention. 

[0042] FIG. 9 schematically shows a circuit in which 
20 the invention is applied. 

[0043] FIG. 10 schematically shows a payment system in 
which the invention is applied. 

25 [0044] PREFERRED EMBODIMENTS 

[0045] A (cryptographic) process P according to the 
prior art is schematically shown in FIG. 1. To the 
process P, there are fed input data X and a key K. On 
30 the basis of the key K, the process P converts the input 

data X into (cryptographically) processed output data Y: 
Y = PK (X) . The process P may be a known cryptographic 
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process, such as DES (Data Encryption Standard) , triple 
DES, or RSA (Rivest, Shamir & Adleman) . 

[0046] If the input data X and the output data Y are 
5 known, it is basically possible to derive the key K used. 

In the event of a key of sufficient length (i.e., a 
sufficient number of bits) , it was so far deemed 
impossible to derive said the key, even if the process P 
were known. Impossible in this case is to say that in 
10 theory it is admittedly possible, e.—g., by trying out 

all possible keys, to retrieve the key used, but that 
such requires an impossibly long computational time. 
Such "brute-force attack" is therefore hardly a threat to 
the cryptographic security. 

15 

[0047] Attacks recently discovered, however, make use 
of knowledge of the process, as a result of which the 
number of possible keys may be reduced drastically. 
Deriving the key K used and/or the input data X from the 
20 output data Y therefore becomes possible within 

acceptable computational times. 

[0048] The principle of the invention, whose object it 
is to render such attacks considerably more difficult and 
25 time-consuming, is schematically shown in FIG. 2. Just 

as in FIG. 1, to a (known) process P there are fed input 
data X and a (secret) key K to generate output data Y. 

[0049] Contrary to the situation of FIG. 1, in the 
30 situation of FIG. 2 the key K is fed to the process P 

from a supplementary process P* . The supplementary 
process P* has a supplementary (secondary) key K* as 
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input data to produce, under the influence of an 
auxiliary key K' , the (primary) key K as output data. The 
key K is therefore not fed, as is the case in the 
situation of FIG. 1, from an external source (e.— g., a 
5 memory) to the process P, but is produced by the process 

P* from the supplementary (secondary) key K* : 

K = P* K ' (K*) . 

10 [0050] It is therefore the secondary key K* , instead 

of the primary key K, which is predetermined and stored, 
e.g., in a key memory (not shown). According to the 
invention, the primary key K, which is fed to the process 
P, is not predetermined. 

15 

[0051] The auxiliary key K' may be a permanently 
stored, predetermined key. It is also possible to apply 
a supplementary process P* in which no auxiliary key K' 
is used. 

20 

[0052] The combination of the processes P and P* forms 
a new process which is schematically designated by Q. To 
the process Q which, on account of the supplementary 
process P*, is unknown per se, the input data X and the 
25 (secondary) key K* are fed to produce the output data Y. 

The relationship between the secondary key K* and the 
primary key K is veiled by the supplementary process P* . 

[0053] The supplementary process P* preferably is the 
30 inverse of another, invert ible process R. This is to 

say: 
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P* = R" 1 



[0054] This enables producing the secondary key K* 
from the primary key K using R and the auxiliary key K ! — : 

5 

K* = R K < (K) , 

as will be further explained later by reference to FIG. 
5 . The new process Q may possibly be extended by the 
10 process R, in such a manner that the primary key K, 

instead of the secondary key K*, is fed to the process Q. 
The primary key K in this case in the process Q is 
derived from: 

15 K = P* K . (K*) = P* K ' (Rk- (K) ) . 

This enables using the same (primary) key as in the prior 
art . 

20 [0055] The cryptographic process Q according to the 

invention, schematically shown in FIG. 3, also comprises 
a process P having a primary key K and a supplementary 
process P* having an auxiliary key K 1 , the primary key K 
being derived from the supplementary key K* by the 

25 supplementary process P* . Supplementing the process of 

FIG. 1, in this case the input data X is also fed to the 
supplementary process P*, in such a manner that the 
primary key K is determined partly as a function of the 
input data X: 

30 

K = P*k< (K*, X) . 
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[0056] As a result, there is obtained a supplementary 
cryptographic protection. In addition, as a result the 
possibility is offered to carry out the supplementary 
process P* exclusively if certain input data is offered. 
5 This is "to say that the supplementary process P* may 

comprise a test of the input data X, and carrying out the 
supplementary process P* may depend on the result of said 
that test . Thus, the supplementary process P*, e.g., may 
be carried out only if the last two bits of the input 

10 data X equal zero. The effect of such an input 

data -dependent operation is that only for certain input 
data X the correct primary key K will be produced in such 
a manner that only paid that input data will deliver the 
desired output data Y. It will be understood that as a 

15 result the cryptographic security is further enhanced. 

[0057] FIG. 4 schematically shows the way in which 
substeps of the processes P and P* may be carried out 
alternatingly ("interleaving") in order to further 
20 enhance the protection against attacks. The substeps may 

include so-called "rounds", such as, e.g., in the case of 
DES. The substeps, however, preferably comprise only one 
or a few instructions of a program, with which the 
processes are being carried out. 

25 

[0058] In a first step 101, there is carried out a 
first substep Pi of the process P. Subsequently, in a 
second step 102, the first substep Pi* of the 
supplementary process P* is carried out. 

30 

[0059] Likewise, in a third step 103, the second 
substep P2 of the process P is carried out etc. This 
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continues until, in step 110, the last substep P n * of the 
supplementary process P* has been carried out, it being 
assumed, for the sake of the example, that the processes 
P and P* comprise an equal number of substeps . If such 
5 is not the case, in step 110 there is carried out the 

last corresponding substep, and in further steps the 
remaining substeps are carried out . 

[0060] By alternating the substeps of the process P, 
10 which is known per se, and the process P* (possibly known 

per se as well) , there may be obtained a series of 
substeps which does not correspond to that of a known 
process. As a result, the nature of the process is more 
difficult to recognize. 

15 

[0061] The cryptographic process P schematically 
shown, only by way of example, in FIG. 5, according to 
the prior art comprises several steps Si (i.e., Si, 
S 2/ . . ., S n ) . In each step Si, (right-hand) data RDi is 

20 fed to a cryptographic operation Fi. Said The 

cryptographic operation may itself comprise a number of 
substeps, such as an expansion, a combination with a key, 
a substitution and a permutation which, however, have not 
been designated separately for the sake of the simplicity 

25 of the drawing. The cryptographic operation Fi provides 

processed data FDi : 

FDi = Fi (RDi) . 

30 In a combinatory operation CCi (CCi, CC 2 , the index i 

always indicating the step S in question) , the processed 
data FDi -is combined with left-hand data LDi to form 
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modified (left-hand) data SDi which, just as the original 
right-hand data RD, is passed on to the next step. The 
combinatory operations CCi preferably are XOR operations 
(symbol : ©) . 

5 

[0062] As is shown in FIG. 5, at the end of each step 
Si the modified left-hand data SDi and the right-hand 
data RDi change positions in such a manner that they form 
the right-hand data RD i+1 and the left-hand data LD i+1 of 
10 the next step Si+i- 

[0063] The left-hand data LDi and the right-hand data 
RDi of the first step Si were derived, in a preceding 
operation, from input data X and, in doing so, may 
15 undergo a preparatory processing, such as an input 

permutation. The output data SD n and RD n of the last 
step S n form the processed data Y of the process P, 
possibly after it has undergone a final operation, such 
as an output permutation PP" 1 . 

20 

[0064] The cryptographic process of FIG. 6 largely 
corresponds to that of FIG. 5. In accordance with the 
invention, the data present in and between the steps is 
masked with auxiliary values. For this purpose, in this 

25 embodiment the first step Si is preceded by (preparatory) 

combinatory operations DC and EC, which are preferably 
XOR operations as well. They combine the left-hand data 
LDi, and the right-hand data RDi, respectively, which 
originate from the preparatory processing operation (PP) , 

30 with a zeroth auxiliary value A 0 and a first auxiliary 

value Ai. The results of the combinatory operations DC 
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and EC are left-hand masked data LD'i and right-hand 
masked data RD'i, respectively (in the continuation of 
this text, masked data will be designated by an 
apostrophe) . The maskings make themselves felt in the 
5 subsequent steps. Since the left-hand data of the second 

step S 2 is equal to the masked right-hand data of the 
first step Si, paid then the left-hand data LD' 2 is 
masked as well. The right-hand data -RD' 2 of the second 
step is masked since it is equal to the masked, modified 
10 data SDi' . 

[0065] Combining the data LDi and RDi with the 
auxiliary values Ai therefore results in the modified 
data LDi' and RDi' being masked, as a result of which it 
15 is considerably more difficult to derive the original 

data X or the key used from the masked data LDi 1 and 
RDi f . 

[0066] In order to remove the auxiliary values Ai prior 
20 to the final operation (PP" 1 ) , there are provided completing 

combinatory operations FC and GC, which combine the 
modified and masked left-hand data SD' n of the last step S n 
with an auxiliary value A n +i and the masked right-hand data 
RD' n with an auxiliary value A n , respectively. On account 
25 of Ai ®, Ai being zero in this manner the maskings are 

removed by the auxiliary values Ai . As a result, it is 
possible to carry out the method in such a manner that, 
notwithstanding the use of the auxiliary values Ai, the 
final data Y is equal to that which would have been 
30 obtained by the conventional method according to FIG. 5. 
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[0067] In order to exclude the effect of the auxiliary 
values Ai on the results FDi of the operations Fi, in 
each step Si there is preferably present a supplementary 
combinatory operation ACi which combines the right-hand 
5 data RDi with a (primary) auxiliary value Ai before this 

data is fed to the cryptographic operation Fi. The 
result of each supplementary combinatory operation ACi is 
non-masked right-hand data RDi, so that the cryptographic 
operation Fi works on the same data as in the process of 
10 FIG. 5. 

[0068] There may be advantageously inserted a further 
combinatory operation BCi between the cryptographic 
operation Fi and the combinatory operation CC± with the 

15 purpose of combining the processed (right-hand) data FDi 

with a further (secondary) auxiliary value Bj.. As a result, 
there may be achieved a masking of the processed data FDi 
and a further masking of the (modified) left-hand data SD'i. 
The combinatory operations ACi and BCi preferably are XOR 

20 operations as well. 

[0069] In accordance with a further aspect of the 
invention, the auxiliary values Ai and Bi are related. The 
secondary auxiliary values Bi are formed, preferably using 
25 an XOR operation, from the first auxiliary value Ai_i of the 

previous step and the auxiliary value Ai +1 of the next step: 

Bi =Ai-i © A i+ i 

This results in each primary auxiliary value Ai +i which, 
30 using a further supplementary combinatory operation BCi, is 

combined with the processed right-hand data FDi as an 
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ingredient of the secondary auxiliary value Bi, repeatedly 
being compensated in the next step, i.e., step Si+i, by 
means of a combinatory operation ACi before the right-hand 
data RDi+i is subjected to the operation Fj.. The (masked) 
5 right-hand data RD'i in question, which forms the (masked) 

left-hand data LD'i +:L of the still next step S i+2 are combined 
there with the primary auxiliary value Ai +i and is 
compensated in this manner. The auxiliary value Ai+i makes 
itself felt in the modified data SD'i, in such a manner that 
10 this remains masked between two steps. 

[0070] The left-hand data LD'iof the first step Si is 
masked with the additional or zeroth (primary) auxiliary 
value A 0 . By combining, with the secondary auxiliary value 
15 Bi = A 0 © A 2 , the initial auxiliary value A 0 is removed (on 

account of A 0 © A 0 being zero) , but the auxiliary value A 2 
and the masking achieved therewith are maintained. The 
zeroth auxiliary value A 0 in this embodiment is preferably 
chosen equal to the first auxiliary value Ai . 

20 

[0071] Although all primary auxiliary values Ai are 
preferably chosen to be different, with the exception of A 0 
= Ai, it is possible to choose all primary auxiliary values 
Ai to be equal. In this case, all secondary auxiliary 
25 values Bi in the embodiment shown will be equal to zero, so 

that the further combinatory operations BCi may be omitted. 
The invention further applies to processes P which contain 
only one step S, or have a deviating structure. 

30 [0072] In the process of FIG. 7, which largely 

corresponds to that of FIG. 6, the combinatory operations 
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ACi and BCi and the cryptographic operation Fi in each step 
are integrated to form a combined operation F'i. Integrating 
the combinatory operations in the operations Fi is possible 
by suitably adjusting, e.g., a substitution table of the 
5 operation Fi. As a result, the supplementary combinatory 

operations ACi and BCi may be omitted and the result of the 
adjusted operation Fi' is equal to the result of the total 
of the operation Fi proper and the combinatory operations: 

10 FD'i= F'i (RD'i) = Bi © Fi (A± © |RD' i|) . 

[0073] Basically, each step Si requires a different 
combinatory operation Fi in which various auxiliary values 
Ai are integrated (see FIG. 6) . Only if the auxiliary 
15 values Ai are chosen equal, i.e., A1=A2 =... = A n , the 

combinatory operations Fi in this embodiment may be equal. 

[0074] Each time the process is carried out, the values 
Ai are preferably chosen anew. For the process of FIG. 7, 

20 this means that the combined operations Fi' are then 

determined anew. Since the operations F'i in many 
implementations will comprise the use of several tables, 
such as substitution tables, said tables will be determined 
anew each time the process P is carried out. In order to 

25 offer a supplementary protection against attacks, according 

to a further aspect of the invention the tables will be 
determined in random order. If a combined operation F'i 
comprises, e.g., eight tables, said these eight tables will 
be determined in another order each time aaid the operation 

30 F'i is carried out a new. — Said anew. The order may be 

determined on the basis of the contents of an order 
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register, which contents may each time be formed by a 
random number originating from a random-number generator. 
On the basis of the contents of the order register there 
may each time be composed a fresh lookup table. Using the 
5 lookup table, the tables may be written to a memory and 

later be read out. 

[0075] According to a further aspect of the invention, 
supplementing this or instead thereof, the elements of each 
10 table may be determined and/or stored in random order. 

With this measure , improved it is achieved that the 
protection against attacks is also improvGd achieved . In 
this case, too, there may be applied a lookup table on the 
basis of which the elements may later be retrieved. 

15 

[0076] The measures referred to above may also be 
applied in another embodiment of the invention, such as the 
one of FIG. 8, or in completely different other processes, 
whether cryptographic or not . 

20 

[0077] The embodiment of FIG. 8 largely corresponds to 
that of FIG. 7. Supplementing FIG. 7, each step Si, with 
the exception of the last step S n/ includes a combinatory 
operation HCi which combines the right-hand data RD'i with a 
25 tertiary auxiliary value Wi. The tertiary auxiliary value 

Wi preferably equals the XOR combination of the auxiliary 
values A 0 and A^: 

W = A 0 © Ai, 

where A 0 * Ai . 

30 
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[0078] This results in the operation HCi always adding 
the zeroth auxiliary value A 0 and compensating the first 
auxiliary value A x . As a result, it is possible that all 
cryptographic operations F± are essentially identical, which 
5 requires a much smaller processing and/or storage capacity 

from a processor system with which the method is carried 
out. In the embodiment of FIG. 8, the operations F"i are 
such adjustments of the original operations Fi, that these 
are corrected for the auxiliary value Ai and in addition 
10 combine the tertiary auxiliary value W = A 0 ©. .Ai with their 

result. In other words, if RDi © Ai is fed to F"|i|, the 
result will be equal to: 



FD'i=Fi(RDi) © W. 

15 

[0079] It will be understood by those skilled in the art 
that the combinatory processes ACi, BCi and HCi may be 
carried out in different locations in the cryptographic 
process P to achieve a comparable or even identical effect. 

20 

[0080] FIG. 9 schematically shows a circuit 10 for 
implementing the method according to the invention. The 
circuit 10 comprises a first memory 11, a second memory 12 
and a processor 13, the memories 11 and 12 and the 

25 processor 13 being coupled using a data bus 14 . By 

providing two memories, it is possible each time to carry 
out a substep of one of the processes P and P* (see 
FIG. 4), to store the result of said substep in, e.-g., the 
first memory 11, and from the second memory 12 to transfer 

30 a previous interim result from the other process to the 

processor 13. In this manner, it is possible to 
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efficiently carry out the alternating computation of 
substeps of two different processes. 

[0081] The payment system schematically shown in FIG. 10 
5 comprises an electronic payment means 1 and a payment 

station 2. The electronic payment means 1 is, e.g., a so- 
called smart card, i.e., a card provided with an integrated 
circuit for storing and processing payment data. The 
payment station 2 comprises a card reader 21 and a 
10 processor circuit 22. The processor circuit 22 may 

correspond to the circuit 10 of FIG. 9. 

[0082] At the beginning of a transaction, the payment 
means 1 transmits an identification (card identification) 

15 ID to the payment station 2. By reference to paid the 

identification, the payment station 2 determines a key 
which will be used for said transaction. Said The 
identification ID may be fed as input data X (see the 
figures 1-3) to a cryptographic process which, on the basis 

20 of a master key MK (not shown) , produces an identification- 

dependent transaction key K ID as output data Y. In 
accordance with the invention, for this purpose the process 
shown in the figures FIG. 2 and 3 is used, the master key 
MK having been converted in advance, using a process R, 

25 into a supplementary master key MK* . Said The 

supplementary master key MK* is now fed, preferably 
together with the identification ID, in accordance with 
FIG. 3, to the supplementary process P* in order to 
reproduce the original master key MK and to derive the 

30 transaction key K ID from the identification ID. 
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[0083] Although, in the figures FIG. 2 and 3, there is 
always shown one single supplementary process P*, there may 
possibly be used several processes P*, P**, p***, ... in 
series and/or in parallel to derive the primary key K. 

[0084] It will be understood by those skilled in the art 
that many modifications and amendments are possible without 
departing from the scope of the invention. 
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